In case you aren't aware, a new General Data Protection Regulation has been adopted by the European Union and will be going into effect on May 25, 2018. You'll be forgiven for not being aware because I only found out about it yesterday. Our friends at Bravo Fleet have graciously shared with us the information that they have already put together for their fleet, which I have copied below. Their actual announcement can be found here.

What this means for Pegasus Fleet is that we will be rolling out changes to the privacy policy, which will include mandatory conforming privacy policies implemented on each of our member sims. It will also mean some changes to the application pages regarding getting informed consent.

I'll be keeping everyone updated on what's going on. Bravo Fleet will be sharing information with me as well so the fleets can be on the same page with regards to keeping up with the new policies. So be sure to watch this space for more information.

The information contained within this post and the communications with Bravo Fleet on this topic ("Communication") were prepared for informational purposes only. The Communication is not intended to be and should not be considered legal advice. The Communication is provided only as general information and may be incomplete and/or not reflect the most current legal developments. None of the Communication is intended to constitute an attorney-client relationship. You should not act upon any of this Communication without consulting professional legal counsel.

As you may have already heard, the General Data Protection Regulation ("GDPR"), adopted by the European Union in 2016, goes into full effect on May 25, 2018. Between this and the growing concerns over Internet privacy as a whole, Bravo Fleet has decided to offer some general guidance to our players, sims and staff regarding the collection, management and processing of personal information.

Why should you read this? Beyond simply respecting fellow members of this wonderful community because, if you are found in violation, penalties can be as high as €20 million for a website that produces no revenue (like a sim site).

What is GDPR?

GDPR is a legal framework designed to give individuals greater control over their personal data including not just physical information like names and postal addresses but also digital information like email and IP addresses. Under GDPR, websites must provide privacy policies, cookie policies, easy opt-out, breach notifications and reasonable security precautions, and they are restricted from using personal information for anything outside the stated purpose of why the individual provided it without receiving the individual's explicit consent.

While GDPR technically only protects the rights of EU citizens, it does so globally, whether or not you or your server reside within the EU. As long as an EU citizen can visit your website, you must comply with GDPR. Thus, in the context of Bravo Fleet, we recommend that all sim sites immediately take steps to comply with GDPR.

What about other privacy regulations?

In the process of preparing this recommendation, a legal review was also conducted of other international privacy laws. The recommendations provided forthwith are also intended to comply with the United States Electronic Communications Privacy Act, the Australia Privacy Act, the Canada Personal Information Protection and Electronic Documents Act, the Mexico Law on the Protection of Personal Data Held by Private Parties, the California Online Privacy Protection Act and the California Information Practices Act, among others. All EU privacy regulations besides GDPR have been, or are about to be (before May 25, 2018), deprecated by GDPR, hence why they were not considered separately.

The recommendations herein explicitly do not satisfy the requirements of Russia, Kazakhstan, China, Indonesia and Columbia, and it may not satisfy other regulations that were not directly considered.

What do I need to do to comply with privacy regulations?

The key of Internet privacy is informed consent by the individual.

If you are ever in doubt, measure the action you're about to take against whether you have received consent to take it. For example, when a user signs up for your sim, they give their email address to receive mission post emails and sim announcements. If you email them about something unrelated or you give their email address to someone outside the explicit purpose of your sim, you would be in violation of the GDPR and other international privacy laws.

Beyond this basic principle, we recommend concrete steps to comply:

1. Privacy Policy - Your website must have a privacy policy, which should be linked to from all pages (typically in the footer of your website). This privacy policy must be written in simple readable terms (not complex legalese) and explain, at minimum:

a. how you capture data;

b. what data you store;

c. how, if at all, you respect do not track browser signals;

d. how long you intend to keep the data;

e. how people can access and how you share the data you have stored; and

f. how an individual may request their data removed from your system.

In discussing how you capture and handle data, you should account not just for the data you directly collect when they sign up but also for your server logs and cookies. It you use Google Analytics or another tracking tool, that must also be explicitly disclosed, along with the purpose of such tools.

2. "Your California Privacy Rights" Page - Your website should include a page entitled "Your California Privacy Rights" with the following text (substituting in place of the placeholders): "If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your personal information by [INSERT: ORGANIZATION] to third parties for the third parties’ direct marketing purposes. To make such a request, please [INSERT: CONTACT INSTRUCTIONS]."

3. Website Security - Your website must implement a reasonable level of security. Assuming you are using standard simming software such as Nova, forum, or blogging software, this means mostly just configuration settings:

a. enable SSL, which you can do with a free certificate from https://letsencrypt.org or, if you use bravofleet.games for hosting, by contacting @aio;

b. ensure your server and software are up-to-date and check regularly for updates; and

c. use strong passwords for your database and any account that can access others' information.

4. No Implied Consent - Your website should not pre-check any checkboxes regarding agreeing to terms or allowing the release of an individual's information. Nova and most forum and blog software already handle this correctly by listing terms and asking the user to press an "Agree" button.

5. Include Privacy Policy in Sign Up Terms - Your sim registration agreement to which an applicant must "Agree" (such as the Join Disclaimer in Nova) should include an acknowledgement that the user has read and agrees to your privacy policy and is agreeing to receive communications related to your sim.

6. Age of Consent - Because age of consent varies by country (even in the GDPR), rather than sorting through the varying laws for every applicant, we recommend adding to your sign up terms a statement such as "I affirm that I have the full right and authority to enter into this Agreement, including that I am of the age of majority in [INSERT: WEB HOST COUNTRY] and my own country." You may also include a clause allowing a parent or guardian to enter into the Agreement on behalf of the Individual. This is completely separate from your sim age rating.

7. Easy Withdrawal of Permission - Your website should make it easy for a user to delete their account and all personal information associated with it. We are currently working with Anodyne Productions to add a feature for users to delete their own accounts, but even without this, at bare minimum, you should, in your privacy policy, provide an email address a user may contact to have their account and all personal information deleted. Because personal information also includes IP addresses captured in your access logs, we recommend also setting an auto-delete policy on access logs after a short number of days to avoid manually clearing this data upon the departure of an individual.

8. IP Tracking - Do not store an individual's IP address (beyond your access logs, which should be deleted regularly), nor place third-party code or embeds on your site that track a user's activity. If you intend to do this, you will need to look into additional rules about this (beyond the scope of our recommendation).

9. Advertising and Marketing - Do not use an individual's personal information for any purpose other than simming (not even a simple email about something else), and do not provide an individual's personal information to any third party (no ads, marketing or lead generation tools). If you intend to do any of these things, you will need to look into additional rules about this (beyond the scope of our recommendation).

10. Data Breach Notification - If you suffer a data breach, you should notify all individuals with personal information that was compromised immediately. You should also consult individual privacy laws regarding additional requirements (beyond the scope of our recommendation).

By what date do I need to comply?

Although we recommend you comply as soon as possible, because some of these recommendations stem from other laws, we recommend all sim sites come into compliance no later than May 24, 2018 in order to meet the deadline for GDPR enforceability.

Is there any help available to comply?

In order to help our members, Bravo Fleet will be releasing a sample privacy policy, cookie policy, do not track policy, and Your California Privacy Rights page by May 14, 2018 in order to hopefully make it easier for our members to comply.

Additionally, Bravo Fleet is currently working with Anodyne Productions to see if we can release an update to Nova including the ability for users to delete their own accounts in order to better comply with the easy opt-out provision of GDPR.

Questions or concerns may be directed to JonM and the Bravo Fleet Command Council, although remember we are no replacement for the advice of a legal professional.

TL;DR

A TL;DR isn't a fitting replacement for reading this, but here's a recap...